A certificate installed on an Exchange Server 2010 server may display the following error message.

The certificate is invalid for exchange server usage

This can occur when the certificate cannot be verified to a trusted certificate authority, which may happen when the certificate has been issued by a private certificate authority.

To correct the problem you must install the root certificate for the certificate authority. For a private certificate authority this can be obtained from the web enrollment page (e.g. http://ca-server/certsrv).

Browse to the web page and click on Download a CA Certificate, Certificate Chain, or CRL.

Click to download either the CA Certificate (if the certificate was issued by a root CA) or the Certificate Chain (if the certificate was issued by an intermediary CA).

Launch a new Microsoft Management Console (Start -> Run, mmc.exe) and add the Certificates snap-in to it, connecting to the Computer Account for the Local Computer.

Navigate to Trusted Root Certification Authorities. Right-click on Certificates and choose All Tasks and then Import.

Browse and choose the CA Certificate or Certificate Chain that you downloaded earlier.

Place the certificate in the Trusted Root Certification Authorities store.

Complete the import wizard and then refresh the Exchange Management Console, and the certificate should now be valid.
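
To see exactly why Windows rejects a certificate (untrusted root, incomplete chain or revocation), the chain can be built from PowerShell on the Exchange server. This is an added example, not part of the original article; the function name Test-CertificateChain and the thumbprint placeholder are assumptions.

```powershell
# Added example: report why a certificate in the Local Computer store does
# not chain to a trusted root. Replace the placeholder with the thumbprint
# shown by Get-ExchangeCertificate.
param(
    [string]$Thumbprint = '<THUMBPRINT-OF-EXCHANGE-CERTIFICATE>'
)

function Test-CertificateChain {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # $true = build the chain in the machine context, i.e. against the same
    # Local Computer stores that the MMC steps above import into.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true

    # Check revocation for every element so a revoked certificate is reported
    # as such instead of looking like a generic "invalid" certificate.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

    $trusted = $chain.Build($Certificate)

    # One row per chain element, leaf first, with that element's status flags.
    $elements = foreach ($element in $chain.ChainElements) {
        New-Object PSObject -Property @{
            Subject = $element.Certificate.Subject
            Issuer  = $element.Certificate.Issuer
            Status  = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }

    New-Object PSObject -Property @{
        Trusted     = $trusted
        # Typical values: UntrustedRoot (root CA not imported), PartialChain
        # (intermediate CA missing), Revoked, RevocationStatusUnknown.
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Elements    = $elements
    }
}

$cert   = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
$result = Test-CertificateChain -Certificate $cert
$result.Elements | Format-Table Subject, Issuer, Status -AutoSize
"Trusted: $($result.Trusted)  ChainStatus: $($result.ChainStatus)"
```

An empty ChainStatus with Trusted set to True means the chain builds to a trusted root and no revocation problem was found.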

I’ve just had EMC showing the certificate being invalid. I used Enable-ExchangeCertificate to force the certificate to be used for IIS, and this allowed me to see the real issue. The certificate had been revoked due to a miscommunication with our certificate supplier.

I tried this, but the certificate is always invalid.
I created a certificate request with “New Certificate”, had it signed by a private root CA, and imported both certificates (Root CA certificate & Exchange).

I get exactly the same error message. I bought an SSL certificate from godaddy.com. Can you please tell me where I can get the root certificate for GoDaddy? I don’t know what this web enrollment page is. What I understand is that there must be a web enrollment page for GoDaddy and I need to download the root cert for GoDaddy from there and install it on my servers somewhere?

The web enrollment page you see there only relates to a private CA. For a commercial CA such as Godaddy you’ll need to check their support pages or contact them to ask about any other required certificates you need to install to get your SSL certificate working.

(To add Exchange to Linux mail, we only put the name/IP of the Exchange server and the Administrator account into it. Besides, the Linux mail server also supports the Autodiscover option to look up Exchange e-mail. To create a mailbox connecting to Exchange email, we only create a name and give an Exchange email)

And some guys tell me that to use multiple hosts, you will create a SAN certificate. So, from the Exchange server, I create a SAN with all information:

4. If a user of group 1 or group 2 or Linux connects to the Exchange server, do we have a log in Exchange to know that? And in the log, does all trace information point to the primary host name or the suitable name as in the plan? – I meant that:

Group 1 connects to Exchange by host: mail1.test.com. In Exchange logs, does this show that users of group 1 connect to host mail1.test.com, or always point to ex.local.com?

5.

5.1. After installing the SAN, are all connections to Exchange verified by the SAN, no matter whether the end-user is Outlook or other servers?

We have an issue with clients not being able to connect with Outlook Anywhere. OWA works and so do our mobile devices. The only thing that has changed recently was our CAS certificate, which is now SHA2 (Entrust).